access-tokens

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Executable Bash scripts (tfy-api.sh, tfy-version.sh) are used to perform API operations and environment checks. These scripts utilize standard system utilities like curl and pip and include validation logic to prevent path traversal in API requests.
  • [EXTERNAL_DOWNLOADS]: The skill documentation references external container images from trusted and well-known sources including AWS Public ECR, GitHub Container Registry, and NVIDIA GPU Cloud for deploying various workloads. It also recommends installing the truefoundry Python package for CLI functionality.
  • [DATA_EXFILTRATION]: Network operations are directed to the vendor's API endpoints (TrueFoundry). Authentication tokens are handled as environment variables or read from a local .env file, which is the expected and standard behavior for this tool's administrative functionality.
  • [PROMPT_INJECTION]: The skill instructions include explicit security policies for the agent, such as the 'Token Display Policy', which mandates that tokens are only shown once upon creation and never stored or logged, protecting against accidental credential exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 03:26 AM